CVE-2023-22817

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressedby fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
WDC PSIRTCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
VendorProductVersion
westerndigitalmy_cloud_pr2100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_pr4100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_ex4100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_ex2_ultra_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_mirror_g2_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_dl2100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_dl4100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_ex2100_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_glacier_firmware
𝑥
< 5.27.161
westerndigitalwd_cloud_firmware
𝑥
< 5.27.161
westerndigitalmy_cloud_home_firmware
𝑥
< 9.5.1-104
westerndigitalmy_cloud_home_duo_firmware
𝑥
< 9.5.1-104
westerndigitalsandisk_ibi_firmware
𝑥
< 9.5.1-104
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update
https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update